
I've been running the following commands on W12 Server :-

setspn -A HTTP/ krbspn

ktpass /princ HTTP/@ /crypto ALL /ptype krb5_nt_principal /mapuser krbspn c:\ticket\krbspn.keytab -kvno 0 /pass Pa$$w0rd

and kinit krbspn gives the correct result, however kinit HTTP/ returns :-

KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
    at sun.security.krb5.internal.tools.Kinit.(Kinit.java:221)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
    at sun.security.krb5.internal.ASRep.(ASRep.java:60)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:60)
    ... 4 more

I have already checked forward and reverse DNS and they are working fine.

Fun fact :-

I had used these exact commands with the same SPN name on this same machine and everything was working fine for months. But 2 days back just to demo I did :-

setspn -D HTTP/ krbspn

and then did the above commands again, and now it's broken :-(

Any help is appreciated..

Thanks, Nikhil

Nikhil L
  • I think I see the problem. But first, what version of Java are you running on the server where you're running _kinit_? – T-Heron Dec 21 '16 at 11:48
  • @T-Heron jdk 1.7 51 – Nikhil L Dec 23 '16 at 03:52
  • Are you ready to try a few things? If they work, we can wrap them into an answer. (1) In this: _setspn -A HTTP/ krbspn_ has a gap of whitespace between _/_ and _krbspn_. There must not be a gap there. (2) In _ktpass /princ HTTP/@ /crypto ALL_, there must be some kind of hostname specified after _HTTP/_ but before the _@_, preferably a fully-qualified DNS name. (3) _kinit HTTP/_ by itself will always fail, because the SPN argument is incomplete, you must have some kind of hostname following _HTTP/_ else lookups into the KDC won't find anything. Please post full un-edited ktpass command – T-Heron Dec 23 '16 at 03:59
  • For an example of how to run the ktpass command, refer to this link: [Kerberos Keytabs – Explained](http://social.technet.microsoft.com/wiki/contents/articles/36470.kerberos-keytabs-explained.aspx). The example _ktpass_ command is down towards bottom of the article. – T-Heron Dec 23 '16 at 04:07
  • @T-Heron ok trying out your suggestions – Nikhil L Dec 23 '16 at 04:18
  • @T-Heron - hey buddy - I tried out your suggestions and it seems working fine right now. - However I did find a discrepancy, if we play around too much with the same SPN name, it sometimes gives the client not found in database error. I didn't find why this happens. Does W12 server retain some cache wherein it stores these SPNs and the cache is reset after some time? – Nikhil L Dec 26 '16 at 05:14
  • Glad to hear it's resolved. The new question you just presented seems somewhat unrelated; we could carry this discussion on into extended comments or maybe you could ask it as a new question. I've composed an answer, if you would mark it as such that would help future readers. All that said, the SPN is how Kerberos clients find Kerberized resources in the realm. If you alter it, and then look for the previous name, you'll get the "client not found" message. There's a cache in many different places when it comes to Kerberos, are you talking on the KDC, the client, or on the HTTP server? – T-Heron Dec 26 '16 at 14:19
  • Thanks a lot buddy, I am talking about the cache on KDC or Windows server - it's better I ask a new question - will paste the link here and we could continue this in that question. – Nikhil L Dec 26 '16 at 14:24
  • Acknowledged. I'm driving up the US northeast coast today, may not get back to it until tomorrow but I will review in detail when I do. – T-Heron Dec 26 '16 at 14:39
  • @T-Heron - you can find my new question [here](http://stackoverflow.com/questions/41355755/kerberos-spn-gets-cached-on-windows-servers) – Nikhil L Dec 28 '16 at 05:18
  • Got it and just answered. Let us continue over in that thread. – T-Heron Dec 28 '16 at 12:50

1 Answer
  1. setspn -A HTTP/ krbspn has a gap of whitespace after / and before krbspn. There must not be any gap there.
  2. In ktpass /princ HTTP/@ /crypto ALL, there must be some kind of hostname specified after HTTP/ and before @, preferably a fully-qualified DNS name.
  3. kinit HTTP/ by itself will always fail, because the SPN argument is incomplete; you must have some kind of hostname following HTTP/ or else lookups into the KDC won't find anything.

For an example of how to run the ktpass command, refer to this link: [Kerberos Keytabs – Explained](http://social.technet.microsoft.com/wiki/contents/articles/36470.kerberos-keytabs-explained.aspx). The example ktpass command is down towards the bottom of the article. If you follow this, the SPN and keytab will be correctly built, and if you followed everything else correctly, Kerberos authentication will be successful.

T-Heron
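The three defects the answer lists (whitespace splitting the name, no hostname after `HTTP/`, no realm after `@`) are all shape errors in the principal string, so they can be caught before `setspn` or `ktpass` is ever run. The checker below is an added example, not code from the question, the answer, or Microsoft's tools; the host `web01.example.com`, realm `EXAMPLE.COM`, and the `/out` and `/pass *` switches it emits are constructed placeholders and standard ktpass options respectively.

```python
import re

# Hostname labels: letters, digits, hyphens; at least one dot so the name is qualified.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def check_spn(spn: str, require_realm: bool = False) -> list:
    """Return the problems found in an SPN or principal string (empty list = looks sane).

    Expected shape: service/hostname[:port][@REALM],
    e.g. HTTP/web01.example.com@EXAMPLE.COM (constructed placeholder values).
    """
    problems = []
    if spn != spn.strip() or any(c.isspace() for c in spn.strip()):
        problems.append("whitespace inside the name; the shell splits it into separate arguments")
        spn = "".join(spn.split())  # keep checking what is left after the gap
    name, at, realm = spn.partition("@")
    if at and not realm:
        problems.append("'@' present but no realm follows it")
    elif require_realm and not realm:
        problems.append("no @REALM given; ktpass /princ needs the full principal")
    elif realm and realm != realm.upper():
        problems.append("realm is not upper case; realms are case sensitive and AD realms are upper-case domain names")
    service, slash, instance = name.partition("/")
    if not slash:
        problems.append("no '/': a service principal needs service/hostname")
        return problems
    if not service:
        problems.append("empty service class before '/'")
    host = instance.split(":", 1)[0].split("/", 1)[0]  # drop optional :port and /name
    if not host:
        problems.append(f"nothing after '{service}/': the KDC cannot look up an SPN without a hostname")
    elif not _FQDN_RE.match(host):
        problems.append(f"host {host!r} is not a fully-qualified DNS name")
    return problems


def build_commands(service: str, fqdn: str, realm: str, account: str, keytab: str) -> dict:
    """Compose the setspn and ktpass command lines, refusing malformed input up front."""
    principal = f"{service}/{fqdn}@{realm}"
    problems = check_spn(principal, require_realm=True)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "setspn": f"setspn -A {service}/{fqdn} {account}",
        "ktpass": (f"ktpass /princ {principal} /mapuser {account} /crypto ALL "
                   f"/ptype KRB5_NT_PRINCIPAL /out {keytab} /pass *"),
    }
```

Running `check_spn` on the question's own strings (`HTTP/`, `HTTP/@`, `HTTP/ krbspn`) reports exactly the gaps the answer describes, and `build_commands` refuses to emit a command line until they are fixed.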